In an X.509 certificate, the cRLDistributionPoints extension tells the certificate validator where to retrieve a CRL (Certificate Revocation List), which can then be used to check whether the given certificate has been revoked.

A cRLDistributionPoints extension can contain one or more DistributionPoints from which the CRL can be retrieved. Each DistributionPoint consists of three fields, each of which is optional:

distributionPoint : it contains either a SEQUENCE of general names (a full name) or a single name relative to the CRL issuer. A distributionPoint holding general names can contain one or more of them, each showing where the CRL is stored

reasons : it identifies the revocation reasons that the CRL at this distribution point covers

cRLIssuer : it identifies the entity that signs and issues the CRL

In this post, we will cover only the case where just the distributionPoint field is set. OpenSSL is used here to demonstrate how to generate a certificate with the cRLDistributionPoints extension. Before that, we first need to generate ordinary keys and certificates so that they can be used later.

Here ca.key and ca.crt will be used to sign leaf.csr, the certificate signing request.

Multiple distributionPoints

First, let's show how to generate a certificate with multiple distributionPoints in the cRLDistributionPoints extension. We need to create an extension config file that contains the distributionPoints we want to set. For example :
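The whole procedure described above, carried through end to end as an added example (this is not the post's own script): it generates the CA key and certificate, the leaf key and CSR, writes an extension config with two distribution points, signs the leaf with that config, and then checks the resulting certificate. The file names (ca.key, ca.crt, leaf.key, leaf.csr, leaf.crt, crl_ext.cnf), the subject names and the two CRL URLs are assumptions chosen for this demo; in OpenSSL's x509v3 config, each `URI:` entry in the comma-separated list becomes its own DistributionPoint with only the fullName set, which is exactly the "distributionPoint only" case this post covers.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: ca.key, ca.crt,
# leaf.key, leaf.csr, leaf.crt, crl_ext.cnf, and the two constructed CRL URLs.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# 1. Self-signed CA key and certificate; these later sign the leaf CSR.
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.crt
}

# 2. Leaf private key plus a certificate signing request for it.
gen_leaf_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" -keyout leaf.key -out leaf.csr
}

# 3. Extension config: two DistributionPoints, each a single URI (constructed values).
#    Only the distributionPoint field is set; reasons and cRLIssuer stay empty.
write_ext_config() {
  cat > crl_ext.cnf <<'EOF'
[ crl_ext ]
crlDistributionPoints = URI:http://crl1.example.test/demo.crl, URI:http://crl2.example.test/demo.crl
EOF
}

# 4. Sign the CSR with the CA, attaching the [crl_ext] section from the config.
sign_leaf() {
  openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile crl_ext.cnf -extensions crl_ext -out leaf.crt
}

# 5. Checks. openssl prints each DistributionPoint under its own "Full Name:" line,
#    so counting those lines gives the number of distribution points in the cert.
count_distribution_points() {
  openssl x509 -in leaf.crt -noout -text | grep -c 'Full Name:'
}

# Print just the CRL-related lines of the certificate dump for inspection.
show_crl_distribution_points() {
  openssl x509 -in leaf.crt -noout -text | grep -A6 'CRL Distribution Points'
}

# Confirm the leaf still chains to the CA (the extension must not break signing).
verify_chain() {
  openssl verify -CAfile ca.crt leaf.crt
}

run_demo() {
  gen_ca
  gen_leaf_csr
  write_ext_config
  sign_leaf
  show_crl_distribution_points
  verify_chain
  echo "distribution points: $(count_distribution_points)"
}

run_demo
```

If you want several general names inside one DistributionPoint instead of one DistributionPoint per name, OpenSSL's config syntax requires a named section (`crlDistributionPoints = crldp1_section` with a `fullname=` line in that section); the comma-separated `URI:` form above always yields one DistributionPoint per entry.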